Switch to signing with cosign instead of skopeo.

2023-08-08 21:36:15 -04:00 · 2023-08-08 21:36:15 -04:00 · 688ea42e72
parent b4270ae3ff
commit 688ea42e72
2 changed files with 12 additions and 16 deletions
--- a/generic-tasks/j7s-buildah.yaml
+++ b/generic-tasks/j7s-buildah.yaml
@ -28,29 +28,20 @@ spec:
      set -x
      # Login
      buildah login --tls-verify=false --username=$USERNAME --password=$PASSWORD $(params.registry)
-      # Setup cosign.
-      mkdir -p ~/.sigstore
-      cp /etc/cosign-credentials/* ~/.sigstore
-      cat <<EOF > ~/.sigstore/param-file.yaml
-      privateKeyFile: "$HOME/.sigstore/cosign.key"
-      privateKeyPassphraseFile: "$HOME/.sigstore/cosign.password"
-      EOF
-      mkdir -p /etc/containers/registries.d/
-      cat <<EOF > /etc/containers/registries.d/james-registry.yaml
-      docker:
-         $(params.registry):
-            use-sigstore-attachments: true
-      EOF
+      cosign login --username=$USERNAME --password=$PASSWORD $(params.registry)
      # Build
      buildah --storage-driver=overlay bud --tls-verify=false --no-cache \
        -f $(params.containerfile)  -t $(params.name):$(params.version) .
      # Push
-      skopeo copy --debug --dest-tls-verify=false --sign-by-sigstore=$HOME/.sigstore/param-file.yaml \
+      skopeo copy --debug --dest-tls-verify=false \
              containers-storage:localhost/$(params.name):$(params.version) \
              docker://$(params.registry)/$(params.name):$(params.version)
-      skopeo copy --debug --dest-tls-verify=false --sign-by-sigstore=$HOME/.sigstore/param-file.yaml \
+      skopeo copy --debug --dest-tls-verify=false \
              containers-storage:localhost/$(params.name):$(params.version) \
              docker://$(params.registry)/$(params.name):latest
+
+      export COSIGN_PASSWORD=$(cat /etc/cosign-credentials/cosign.password)
+      cosign sign --allow-insecure-registry --key /etc/cosign-credentials/cosign.key docker://$(params.registry)/$(params.name):$(params.version)
    env:
    - name: USERNAME
      valueFrom:
--- a/images/Dockerfile_buildah
+++ b/images/Dockerfile_buildah
@ -4,3 +4,8 @@ FROM quay.io/buildah/upstream:latest
 RUN dnf install -y skopeo \
    --exclude container-selinux \
    --enablerepo=updates-testing
+
+# Add wget, use it to install cosign.
+RUN dnf install -y wget && \
+    wget https://github.com/sigstore/cosign/releases/download/v2.1.1/cosign-2.1.1.x86_64.rpm && \
+    rpm -ivh cosign*.rpm